Buy ‘plug-n-play’ malware for the price of a pint of beer

A wide variety of malwares and vulnerability exploits can be bought with ease on underground marketplaces for about $10 (£8.40) on average, according to new statistics – only a few pennies more than the cost of London’s most expensive pint of beer.

The average price of a pint of beer has risen by 70% since the 2008 financial crisis and earlier this year, researchers at customer experience consultancy CGA found one pub in London charging £8.06. The researchers, perhaps sensibly, did not name the establishment in question.

But according to a new report, The evolution of cybercrime: why the dark web is supercharging the threat landscape and how to fight back, produced by HP’s endpoint security unit HP Wolf Security, the price of cyber criminality is tumbling, with 76% of malware advertisements, and 91% of exploits, found to retail for under $10.

Meanwhile, the average cost of an organisation’s compromised remote desktop protocol (RDP) credentials clocked in at just $5 (£4.20) – a far more appealing price for a beer as well, especially in London.

Vulnerabilities in niche systems, predictably, went for higher prices, and zero-days, vulnerabilities yet to be publicly disclosed, still fetch tens of thousands of pounds.

HP Wolf’s threat team got together with forensic specialists Forensic Pathways and spent three months scraping and analysing 35 million posts on dark web marketplaces and forums to understand how cyber criminals operate, gain each other’s trust, and build their reputations.

And unfortunately, said HP senior malware analyst and report author Alex Holland, it has never been easier or cheaper to get into cyber crime.

“Complex attacks previously required serious skills, knowledge and resource, but now the technology and training is available for the price of a gallon of gas,” said Holland. “And whether it’s having your company and customer data exposed, deliveries delayed or even a hospital appointment cancelled, the explosion in cyber crime affects us all.

“At the heart of this is ransomware, which has created a new cyber criminal ecosystem rewarding smaller players with a slice of the profits. This is creating a cyber crime factory line, churning out attacks that can be very hard to defend against and putting the businesses we all rely on in the crosshairs.”

The exercise also found many cyber criminal vendors bundling their wares for sale. In what might reasonably be termed the cyber criminal equivalent of a supermarket meal deal, the buyers receive plug-and-play malware kits, malware- or ransomware-as-a-service (MaaS/RaaS), tutorials, and even mentoring, as opposed to sandwiches, crisps and a soft drink.

In fact, the skills barrier to cyber criminality has never been lower, the researchers said, with only 2-3% of threat actors now considered “advanced coders”.

And like people who use legitimate marketplaces such as Ebay or Etsy, cyber criminals value trust and reputation, with over three-quarters of the marketplaces of forums requiring a vendor bond of up to $3,000 to become a licensed seller. An even bigger majority – over 80% – used escrow systems to protect “good faith” deposits made by buyers, and 92% had some kind of third-party dispute resolution service.

Every marketplace studied also provides vendor feedback scores. In many cases, these hard-won reputations are transferrable between sites, the average lifespan of a dark web marketplace clocking in at less than three months.

Fortunately, protecting against such increasingly professional operations is, as ever, largely a case of paying attention to mastering the basics of cyber security, adding multi-factor authentication (MFA), better patch management, limiting risks posed by employees and suppliers, and being proactive in terms of gleaning threat intelligence.

Ian Pratt, HP Inc’s global head of security for personal systems, said: “We all need to do more to fight the growing cyber crime machine. For individuals, this means becoming cyber aware. Most attacks start with a click of a mouse, so thinking before you click is always important. But giving yourself a safety net by buying technology that can mitigate and recover from the impact of bad clicks is even better.

“For businesses, it’s important to build resiliency and shut off as many common attack routes as possible. For example, cyber criminals study patches on release to reverse-engineer the vulnerability being patched and can rapidly create exploits to use before organisations have patched. So, speeding up patch management is important.

“Many of the most common categories of threat, such as those delivered via email and the web, can be fully neutralised through techniques such as threat containment and isolation, greatly reducing an organisation’s attack surface, regardless of whether the vulnerabilities are patched or not.”